Permissions Windows Does Not Show You

Sometimes it is good not to know the truth, but as an administrator you better know what is going on! Most IT pros know that Explorer lies a lot (on a German system C:\Users magically becomes C:\Benutzer), but few are aware that Windows’ permission handling dialog ACL Editor also tends to “pretty up” things.

Example

If we examine the permissions of the registry key HKLM\Software from within Regedit, the default view does not show anything out of the ordinary:

Regedit - HKLM-Software - Standard view

Neither does the advanced view:

Regedit - HKLM-Software - Advanced view

But when examining the same key in SetACL Studio we see what is really stored in the ACL:

SetACL Studio - HKLM-Software - verbose

Wow! We suddenly see 8 entries instead of 4!

Many default permissions in Windows are configured rather inelegantly, and those set on HKLM\Software are not different. Not only does the Access Control List contain multiple ACE pairs that differ only by their inheritance settings and could be combined into one (e.g. Users and System), it also has one duplicate Access Control Entry (Administrators - full control - this key only). Similar default permissions are used in many places throughout the operating system, just check the ACL of drive C:, for example.

Windows ACL Editor lies to you whether you want it to or not. SetACL Studio shows you the unfiltered reality, but it can lie, too. It does that only if you want it to, though, prettying reality up a bit. For HKLM\Software the result looks like this:

SetACL Studio - HKLM-Software - normal

About SetACL Studio

SetACL Studio combines an intuitive user interface with the power of SetACL into a permission management tool that works with the file system, the registry, printers, services, shares and WMI objects. It supports very long paths (the kind Explorer cannot handle) and shows you every corner of the system, regardless of current permissions.

Different from most systems management tools, SetACL Studio is extremely easy to use, has a great UI and comes with undo.

ACLACL EditorDACLPermissionsSetACL Studio

Comments

Related Posts

Finding (Executables in) User-Writeable Directories

Finding (Executables in) User-Writeable Directories
This article presents two different detection types for insecure filesystem permissions on Windows endpoints: scanning for directories that are user-writable, and detecting processes that are started from user-writeable directories. Directory Scan With ListUserWriteableDirectories & SetACL My ListUserWriteableDirectories script is an implementation of the first detection type: it scans the filesystem listing any permissions not known to be safe.
Security

Latest Posts

Fast & Silent 5 Watt PC: Minimizing Idle Power Usage

Fast & Silent 5 Watt PC: Minimizing Idle Power Usage
This micro-series explains how to turn the Lenovo ThinkCentre M90t Gen 6 into a smart workstation that consumes only 5 Watts when idle but reaches top Cinebench scores while staying almost imperceptibly silent. In the first post, I showed how to silence the machine by replacing and adding to Lenovo’s CPU cooler. In this second post, I’m listing the exact configuration that achieves the lofty goal of combining minimal idle power consumption with top Cinebench scores.
Hardware

Fast & Silent 5 Watt PC: Lenovo ThinkCentre M90t Modding

Fast & Silent 5 Watt PC: Lenovo ThinkCentre M90t Modding
This micro-series explains how to turn the Lenovo ThinkCentre M90t Gen 6 into a smart workstation that consumes only 5 Watts when idle but reaches top Cinebench scores while staying almost imperceptibly silent. In this first post, I’m showing how to silence the machine by replacing and adding to Lenovo’s CPU cooler. In a second post, I’m listing the exact configuration that achieves the lofty goal of combining minimal idle power consumption with top Cinebench scores.
Hardware